CN113765846A - Intelligent detection and response method and device for network abnormal behavior and electronic equipment - Google Patents


Info

Publication number: CN113765846A
Application number: CN202010486208.4A
Authority: CN (China)
Prior art keywords: network, host, data, rule, response
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN113765846B (en)
Inventor: not disclosed
Current and original assignee: Jike Xin'an Beijing Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The embodiments of the disclosure provide a method, a device and an electronic device for intelligently detecting and responding to abnormal network behaviour. The method comprises the following steps: acquiring mirrored session-layer traffic through a switch and extracting traffic characteristics from it; training check rules based on the traffic characteristics, the check rules comprising an internal/external network check rule, a live-host check rule, an existing-network-service check rule and an existing-operating-system network fingerprint generation rule; marking each network request according to the check rules to form a request log; and making a basic response to each network request according to the request log. The embodiments adopt a bypass (out-of-band) network data detection method to realise network deception defence, respond to network traffic at the session layer, and improve network defence efficiency.

Description

Intelligent detection and response method and device for network abnormal behavior and electronic equipment
Technical Field
The disclosure relates to the technical field of computer networks, and in particular to a method and device for intelligently detecting and responding to abnormal network behaviour, and to electronic equipment.
Background
Network deception defence is a concept that has appeared in recent years: the network to be protected is populated with various false hosts, false services and even false users, so that an attacker is led to believe that a large number of live hosts, services and active users exist in the protected network and cannot accurately locate a valid attack target. On the one hand, the technique slows the attack, raises the attacker's time cost and lowers the accuracy of the attack; on the other hand, it can effectively capture the attacker's behaviour and traffic content, providing important clues for tracing, investigation and evidence collection.
At present, network deception defence is usually built on honeypot technology. A typical honeypot deployment uses several honeypot nodes to simulate real network services; when an attacker scans a target network segment and reaches a honeypot node, the node answers as the real service would, thereby deceiving the attacker.
Honeypot technology has been extended by schemes such as traffic redirection, in which an inline (serial) detection device is added on the access link of the subnet switch to detect scanning traffic. Traffic found to be an attack attempt is redirected to honeypot nodes for interactive simulation, so that fewer honeypots need to be deployed and a single honeypot can answer on behalf of every non-existent host.
However, the existing solutions have technical problems. For a typical honeypot deployment, the number and management of honeypots are very inconvenient, and because the deception is limited to honeypot entities it is easily identified by attackers. The traffic-redirection approach can effectively reduce the number of honeypots, but its inline deployment introduces a single point of failure, and since every access request is analysed by the inline device before being forwarded, normal network access latency increases.
Disclosure of Invention
The disclosure aims to provide an intelligent detection and response method and device for abnormal network behaviour, and electronic equipment, which can interfere with malicious attacks at the session layer and improve network security.
In a first aspect, the present disclosure provides a method for intelligently detecting and responding to abnormal network behaviour, comprising:
acquiring mirrored session-layer traffic through a switch, and extracting traffic characteristics from the mirrored traffic;
training check rules based on the traffic characteristics, the check rules comprising an internal/external network check rule, a live-host check rule, an existing-network-service check rule and an existing-operating-system network fingerprint generation rule;
marking each network request according to the check rules to form a request log;
and making a basic response to each network request according to the request log.
Optionally, the traffic characteristics include:
the IP/MAC address distribution of data packets, including at least one of: the source/destination IP and source/destination MAC of all interactive data;
the port-to-IP correspondence, including at least one of: service port, service IP, uplink/downlink traffic counts of the service port, and the TCP flag bits of the first packet in each direction;
the network-layer and transport-layer fingerprints of response data, including at least one of: the TTL value, the IP type-of-service value and the TCP window size of the IP data packet.
Optionally,
the internal/external network check rule comprises: for each source MAC of the interactive data, calculating the entropy of the distribution of IP addresses seen with that MAC; when the entropy is larger than a preset threshold, the IPs are judged to be external-network IPs and the MAC the corresponding host MAC; when the entropy is smaller than the preset threshold, the IPs are judged to be intranet IPs and the MAC the corresponding host MAC;
the live-host check rule comprises: when an intranet IP has outbound payload-bearing communication, that IP is a live-host IP;
the existing-network-service check rule comprises: when an IP is live and a port has both uplink and downlink interactive traffic, the service port is judged to be valid (open); when only SYN/RST flag bits are seen, the service port is judged to be invalid (not open);
the operating-system network fingerprint generation rule comprises: acquiring the IP packet header and TCP packet header of each host IP, and generating data responses for that IP according to the TTL, type of service or window size in those headers.
Optionally, the request log includes: source IP, destination IP, source port, destination port, protocol type, whether the destination host IP is alive and whether the destination port is open.
Optionally, making a basic response to each network request according to the request log includes:
for a TCP probe of an IP with no live host, randomly selecting an operating-system network fingerprint generation rule to generate response data, and returning the response data through a communication interface; and/or
for a ping probe of an IP with no live host, constructing response data according to the specific content of the ping request and returning it through a communication interface; and/or
for a TCP probe of a port that is not open on a live host IP, generating response data according to that host IP's operating-system network fingerprint generation rule, and returning it through a communication interface; and/or
when the host IP is live and the target port is open, for a probe from an unknown IP, sending corresponding RST packets to both the prober and the real service host port; or
when the host IP is live and the target port is open, after observing that the real service has responded with a SYN+ACK packet, generating RST packets according to that host IP's operating-system network fingerprint generation rule and sending them to the prober at random.
Optionally, the method further includes: sending an application data request to a honeypot; the honeypot returning corresponding application data according to the application data request; and sending the application data to each network request through the switch.
Optionally, sending the application data request to the honeypot includes: converting the source IP and destination IP of the prober's request, the source IP being converted to the honeypot communication IP and the destination IP to the honeypot IP.
Optionally, sending the application data request to the honeypot includes: analysing the application data request at a honeynet switch, and sending it to at least one honeypot according to the type of the application data request.
In a second aspect, the present disclosure provides an intelligent detection and response apparatus for abnormal network behaviour, comprising:
an extraction unit, for collecting mirrored session-layer traffic through a switch and extracting traffic characteristics from it;
a training unit, for training check rules based on the traffic characteristics, the check rules comprising an internal/external network check rule, a live-host check rule, an existing-network-service check rule and an existing-operating-system network fingerprint generation rule;
a forming unit, for marking each network request according to the check rules to form a request log;
and a response unit, for making a basic response to each network request according to the request log.
In a third aspect, the present disclosure provides an electronic device comprising a processor and a memory, wherein the memory stores computer program instructions executable by the processor, and the processor implements the method steps of any one of the first aspect when executing the computer program instructions.
In a fourth aspect, the present disclosure provides a computer readable storage medium storing computer program instructions which, when invoked and executed by a processor, implement the method steps of any of the first aspects.
Compared with the prior art, the beneficial effects of the embodiments of the disclosure are:
the embodiments adopt a bypass (out-of-band) network data detection method to realise network deception defence, avoiding the single-point-of-failure problem of inline methods; even if a deception defence system built on this scheme fails, normal network service is not affected, and the deployment mode has little impact on actual network operation;
the self-learning rule generation method can effectively discover the existing hosts of the internal and external networks and of the network segment together with their services, including the IP-layer and TCP-layer data encapsulation characteristics of each host and service, and can complete adaptive configuration with little or no manual participation, improving the convenience and accuracy of detection;
the embodiments provide a session-maintenance method for the bypass traffic detection scheme: without needing to respond in depth to the accessed content, it answers the network access first, which improves response speed, confuses the attacking access and delays the attack process. The fast SYN+ACK response prevents the real host from interrupting the communication with an RST packet, and the returned packet closely matches the fingerprint of the real host. This effectively realises session maintenance and deception against network scanning and probing. In addition, ping probe responses and forged responses on behalf of real existing services effectively blur the behavioural difference between real and fake services.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present disclosure, and other drawings can be obtained according to the drawings without creative efforts for those skilled in the art.
Fig. 1 is a schematic flow chart of a network abnormal behavior intelligent detection and response method provided in the embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of an intelligent detection and response system for network abnormal behavior according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of an internal structure of an intelligent detection and response system for network abnormal behavior according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an intelligent network abnormal behavior detection and response system according to yet another embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an intelligent network abnormal behavior detection and response system according to yet another embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an intelligent network abnormal behavior detection and response system according to yet another embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an intelligent network abnormal behavior detection and response apparatus according to an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in the presently disclosed embodiments and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a plurality" typically includes at least two, but does not exclude the presence of at least one.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
It should be understood that although the terms first, second, third, etc. may be used to describe technical names in embodiments of the present disclosure, the technical names should not be limited to the terms. These terms are only used to distinguish between technical names. For example, a first check signature may also be referred to as a second check signature, and similarly, a second check signature may also be referred to as a first check signature, without departing from the scope of embodiments of the present disclosure.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a good or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such good or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a commodity or system that includes the element.
In addition, the sequence of steps in each method embodiment described below is only an example and is not strictly limited.
Example one
Referring to fig. 1, the present disclosure provides an intelligent detection and response method for abnormal network behaviour, comprising the following steps:
Step S102: acquiring mirrored session-layer traffic through a switch, and extracting traffic characteristics from the mirrored traffic.
As shown in fig. 2, the intelligent detection and response system for abnormal network behaviour is connected to a mirror port of the target network, and the mirrored data of the key session-layer traffic of the network is collected through the subnet switch. The mirrored data is identical to the data received by each server in normal network service; it is used on the one hand to generate the subsequent detection rules and on the other hand to perform anomaly detection.
The traffic characteristics include, but are not limited to, the following:
(1) IP/MAC address distribution of data packets: the source/destination IP and source/destination MAC of all interactive data;
(2) port-to-IP correspondence: the service ports and service IPs of interactive data, with the uplink and downlink traffic counts of each port; if no traffic is carried, the TCP flag bits of the first packet in each direction are recorded;
(3) network-layer and transport-layer fingerprints of response data, i.e. the fingerprint characteristics of network data sent by the local network, distinguished per IP + port, including the TTL value of the IP packet, the IP type-of-service (TOS) value, the TCP window size, and so on.
The overall logical structure of the system is shown in fig. 3. For the subnet to be protected, all mirrored traffic of the subnet is obtained through the bypass, and a white-list detection rule is formed from the IP/MAC addresses of the hosts currently running, their network protocol fingerprint characteristics and the list of existing services on each running host of the subnet.
Subsequent traffic is detected against these rules; when an abnormal scanning attempt is found, forged response data is generated from the rules at the session level to interact with the attacker and keep the attack session alive.
At the same time, the response system can interact with honeypots connected in the background to obtain more realistic interaction traffic for further interaction with the attacker, thereby realising network deception against the attacker.
Step S104: training check rules based on the traffic characteristics, the check rules comprising an internal/external network check rule, a live-host check rule, an existing-network-service check rule and an existing-operating-system network fingerprint generation rule.
Specifically, the check rules include:
(1) Internal/external network decision rule: the IP/MAC of the internal and external networks is judged from the aggregation relationship between MAC and IP data over a period of time. An IP/MAC pair with a particularly high degree of aggregation is an intranet IP with its corresponding host MAC; data with a significantly low degree of aggregation is an external-network IP carried by the switch MAC that forwarded it. On that basis, for frames whose source MAC is the switch MAC, the corresponding destination IP is also an intranet IP. For example, the degree of aggregation can be evaluated by calculating the entropy of the IP address distribution corresponding to each MAC: the larger the entropy of a MAC, the more likely its IPs are external-network IPs, otherwise they are intranet IPs. A threshold is then taken on the entropy; since the entropy of intranet MACs and external-network MACs usually differs markedly, the threshold is easy to obtain.
(2) Live-host decision rule: once the internal and external networks are determined, which IPs have a real live host behind them can be confirmed from the traffic data. An IP address with a tight binding between IP and MAC is a live-host IP of the network; an IP whose association with a MAC is loose is an external-network IP; and an IP address that corresponds only to the broadcast MAC is an address with no live host in the network. Within a period of traffic, if a given intranet IP corresponds to only one MAC address, or to only one (non-broadcast) MAC address in most of its data, the IP can be regarded as a live-host IP; that is, when the intranet IP has outbound payload-bearing communication it is a live host, otherwise it is not.
(3) Existing-network-service decision rule: among the known live IPs, which ports are open can be determined from the port information in the traffic and whether there is uplink and downlink interactive traffic; an IP/port record that carries only flag bits such as SYN/RST indicates that the port is not open.
(4) Operating-system network fingerprint generation rule: from the IP packet header and TCP packet header characteristics of each IP collected over a long period, the mean, median and similar statistics of values such as TTL, type of service (TOS) and window size are summarised and used as the packet generation rule for data responses on behalf of that IP.
In addition, the automatically learned rules can be continuously adjusted and updated according to network conditions, and each rule can be further adjusted by manual marking if necessary.
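The four self-learning rules of step S104 run over a small constructed sample of mirrored traffic, as an added example that is not the patent's own code: MAC/IP values, the packet field names and the threshold are this example's own assumptions, and rule (4) uses the median (one of the statistics the text names).

```python
"""Self-learning check rules from mirrored traffic (added example, not the
patent's own code). Field names, MAC/IP values and the sample traffic below are
this example's own constructions."""
import math
from collections import Counter, defaultdict
from statistics import median

GW = "00:aa:00:00:00:01"   # gateway MAC forwarding many external IPs (high entropy)
H1 = "00:bb:00:00:00:10"   # intranet web server 10.0.0.10
H2 = "00:bb:00:00:00:11"   # intranet client 10.0.0.11
BCAST = "ff:ff:ff:ff:ff:ff"

def pkt(src_ip, src_mac, dst_ip, dst_mac, proto="TCP", sport=0, dport=0,
        flags="", payload=0, ttl=64, tos=0, win=0):
    return dict(src_ip=src_ip, src_mac=src_mac, dst_ip=dst_ip, dst_mac=dst_mac, proto=proto,
                sport=sport, dport=dport, flags=flags, payload=payload, ttl=ttl, tos=tos, win=win)

# Constructed mirrored traffic (flags: S=SYN, A=ACK, P=PSH, R=RST).
SAMPLE = [
    pkt("203.0.113.5", GW, "10.0.0.10", H1, sport=40001, dport=80, flags="S"),
    pkt("10.0.0.10", H1, "203.0.113.5", GW, sport=80, dport=40001, flags="SA", win=29200),
    pkt("203.0.113.5", GW, "10.0.0.10", H1, sport=40001, dport=80, flags="PA", payload=120),
    pkt("10.0.0.10", H1, "203.0.113.5", GW, sport=80, dport=40001, flags="PA", payload=900, win=29200),
    pkt("198.51.100.7", GW, "10.0.0.10", H1, sport=5100, dport=80, flags="PA", payload=80),
    pkt("10.0.0.10", H1, "198.51.100.7", GW, sport=80, dport=5100, flags="PA", payload=700, win=28960),
    pkt("192.0.2.9", GW, "10.0.0.10", H1, sport=5200, dport=22, flags="S"),  # port 22 closed
    pkt("10.0.0.10", H1, "192.0.2.9", GW, sport=22, dport=5200, flags="R", win=0),
    pkt("10.0.0.11", H2, "10.0.0.10", H1, sport=5300, dport=443, flags="PA", payload=60, ttl=128, win=65535),
    pkt("10.0.0.10", H1, "10.0.0.11", H2, sport=443, dport=5300, flags="PA", payload=500, win=29200),
    pkt("10.0.0.11", H2, "10.0.0.50", BCAST, proto="ARP"),  # 10.0.0.50 only ever a broadcast target
]

def mac_ip_entropy(packets):
    """Shannon entropy (bits) of the source-IP distribution behind each source MAC."""
    per_mac = defaultdict(Counter)
    for p in packets:
        per_mac[p["src_mac"]][p["src_ip"]] += 1
    return {mac: -sum(c / sum(ips.values()) * math.log2(c / sum(ips.values()))
                      for c in ips.values()) for mac, ips in per_mac.items()}

def classify_intranet(packets, threshold=1.0):
    """Rule 1: high-entropy MAC = forwarding switch/gateway carrying external IPs;
    low-entropy MAC = real intranet host. Destinations of frames from a forwarding
    MAC are intranet IPs as well."""
    fwd = {m for m, e in mac_ip_entropy(packets).items() if e > threshold}
    intranet, extranet = set(), set()
    for p in packets:
        if p["src_mac"] in fwd:
            extranet.add(p["src_ip"])
            intranet.add(p["dst_ip"])
        else:
            intranet.add(p["src_ip"])
    return intranet - extranet, extranet

def live_hosts(packets, intranet):
    """Rule 2: an intranet IP that sends payload from one consistent non-broadcast
    MAC is live; an IP seen only as a broadcast-MAC target (unanswered ARP) is not."""
    macs, with_payload = defaultdict(set), set()
    for p in packets:
        if p["src_ip"] in intranet:
            macs[p["src_ip"]].add(p["src_mac"])
            if p["payload"] > 0:
                with_payload.add(p["src_ip"])
    return {ip for ip in with_payload if len(macs[ip] - {BCAST}) == 1}

def service_state(packets, live):
    """Rule 3: the server side of a TCP flow is the destination of its first packet;
    a live (ip, port) is 'open' if payload flows both ways, 'closed' if only
    SYN/RST-type flag bits were ever seen."""
    flows = {}
    for p in packets:
        if p["proto"] != "TCP":
            continue
        a, b = (p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])
        rec = flows.setdefault(frozenset((a, b)), {"server": b, "up": 0, "down": 0, "flags": set()})
        rec["up" if b == rec["server"] else "down"] += p["payload"]
        rec["flags"].add(p["flags"])
    state = {}
    for rec in flows.values():
        key = rec["server"]
        if key[0] in live and rec["up"] > 0 and rec["down"] > 0:
            state[key] = "open"
        elif key[0] in live and rec["flags"] <= {"S", "R", "RA"}:
            state.setdefault(key, "closed")
    return state

def fingerprint_rules(packets, live):
    """Rule 4: per live IP, median TTL / TOS / TCP window of the packets it emitted
    becomes the template for forging responses as that host."""
    samples = defaultdict(lambda: defaultdict(list))
    for p in packets:
        if p["proto"] == "TCP" and p["src_ip"] in live:
            for f in ("ttl", "tos", "win"):
                samples[p["src_ip"]][f].append(p[f])
    return {ip: {f: median(v) for f, v in fs.items()} for ip, fs in samples.items()}

def learn_rules(packets, threshold=1.0):
    """Run the four rules in order; the result is the white list used by the responder."""
    intranet, extranet = classify_intranet(packets, threshold)
    live = live_hosts(packets, intranet)
    return {"intranet": intranet, "extranet": extranet, "live": live,
            "services": service_state(packets, live), "fingerprints": fingerprint_rules(packets, live)}
```

Keying the service rule on the flow's first packet avoids marking a client's ephemeral port as an open service, a mistake the naive per-(ip, port) count would make.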
Step S106: marking each network request according to the check rules to form a request log.
The request log includes: source IP, destination IP, source port, destination port, protocol type, whether the destination host IP is alive and whether the destination port is open.
Every network request is marked, abnormal and normal alike, and the request log formed is the information basis for the next operation; the specific record is:
< Source IP, destination IP, Source port, destination port, protocol type (TCP/UDP/ICMP), whether destination host IP is alive, whether destination port is open >
Step S108: making a basic response to each network request according to the request log.
The system responds differently according to the request's characteristics, distinguishing IPs judged not to exist, IPs that exist but whose service does not, and services that exist. To simulate a real response, every TCP response uses the sequence number of the request packet + 1. Specifically:
(1) for a TCP probe of an IP with no host, an operating-system network fingerprint generation rule is chosen at random to generate response data, which is returned through the communication interface;
(2) for a PING (Packet Internet Groper) probe of an IP with no host, a response packet is built from the specific content of the ping request;
(3) for a TCP probe of a port that is not open on an existing host, a packet is generated from that host's operating-system network fingerprint and returned through the communication interface;
(4) where both the host and a real service exist, bypass blocking can be applied to probes from unknown IPs, i.e. corresponding RST packets are sent to both the attacker (prober) and the real service host port, tearing down the connection.
Alternatively, after bypass monitoring shows that the real service has responded with a SYN+ACK packet, RST packets are generated from that host's network fingerprint template and several of them are sent to the prober at random. This blurs the difference between forged data and the real service.
With this response mode, a network attack is answered quickly at the session layer, so the attacker is effectively and promptly confused as to which server is real; the time an attacker needs to identify the real server is reduced, the efficiency of the attack drops, and network maintainers gain response time. At the same time, simulating the service content requested by the attack further increases the confusion.
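The request-log record of step S106 and the four response cases of step S108 as an added example, not the patent's own code. The white-list state (live hosts, service states, fingerprint templates) is passed in as plain dicts and sets; the `Probe`/`Response` records, the "known client IP" set and the constructed state values are this example's own assumptions, and the "+1" the text applies to the request sequence number is placed in the TCP acknowledgement field.

```python
"""Request labelling and basic session-layer response selection (added example,
not the patent's own code). The learned state is passed in as plain dicts/sets;
their values, the Probe/Response records and the "known client" set are this
example's own constructions."""
import random
from dataclasses import dataclass

# Constructed white-list state, in the shape the self-learning rules would produce.
LIVE = {"10.0.0.10"}
SERVICES = {("10.0.0.10", 80): "open", ("10.0.0.10", 22): "closed"}
FINGERPRINTS = {"10.0.0.10": {"ttl": 64, "tos": 0, "win": 29200},
                "10.0.0.11": {"ttl": 128, "tos": 0, "win": 65535}}
KNOWN_IPS = {"10.0.0.11", "203.0.113.5"}   # clients already seen talking to real services

@dataclass
class Probe:
    src_ip: str
    dst_ip: str
    proto: str                 # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: str = ""            # TCP flag letters of the request, e.g. "S"
    seq: int = 0               # TCP sequence number of the request
    icmp_type: int = 0         # 8 = echo request
    icmp_payload: bytes = b""

@dataclass
class Response:
    action: str                # "forge_syn_ack", "forge_echo_reply" or "rst"
    target_ip: str             # where the forged packet is sent
    ttl: int = 0
    tos: int = 0
    win: int = 0
    ack: int = 0               # request seq + 1, mimicking a real TCP response
    payload: bytes = b""

def label_request(probe, live, services):
    """Request-log record: <src IP, dst IP, src port, dst port, proto,
    dst host alive?, dst port open?>; every request is logged, not only anomalies."""
    alive = probe.dst_ip in live
    port_open = alive and services.get((probe.dst_ip, probe.dport)) == "open"
    return (probe.src_ip, probe.dst_ip, probe.sport, probe.dport, probe.proto, alive, port_open)

def _tcp(action, probe, fp):
    return Response(action, probe.src_ip, fp["ttl"], fp["tos"], fp["win"], probe.seq + 1)

def basic_response(probe, live, services, fingerprints, known_ips,
                   real_replied=False, rng=None):
    """Pick the bypass response for one logged request. real_replied says whether
    the mirror port already showed the real host's SYN+ACK (second variant of case 4)."""
    rng = rng or random.Random()
    _, dst, _, _, proto, alive, port_open = label_request(probe, live, services)
    if not alive and proto == "TCP":
        # (1) no host here: answer under a randomly chosen OS fingerprint template
        return [_tcp("forge_syn_ack", probe, fingerprints[rng.choice(sorted(fingerprints))])]
    if not alive and proto == "ICMP" and probe.icmp_type == 8:
        # (2) no host here: echo reply built from the request's own content
        return [Response("forge_echo_reply", probe.src_ip, payload=probe.icmp_payload)]
    if alive and proto == "TCP" and not port_open:
        # (3) live host, closed port: answer as that host, using its own template
        return [_tcp("forge_syn_ack", probe, fingerprints[dst])]
    if alive and proto == "TCP" and port_open and probe.src_ip not in known_ips:
        fp = fingerprints[dst]
        if not real_replied:
            # (4a) unknown IP probing a real service: bypass blocking, RST to both ends
            return [_tcp("rst", probe, fp), Response("rst", dst, fp["ttl"], fp["tos"], fp["win"])]
        # (4b) real SYN+ACK already seen: several RSTs in the host's fingerprint to the prober
        return [_tcp("rst", probe, fp) for _ in range(rng.randint(2, 4))]
    return []   # known client reaching a real service: leave the session alone
```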
As an optional embodiment, a honeypot may be added to the network abnormal behavior intelligent detection and response system, so as to further start the purpose of confusing network attacks. Specifically, an external honey pot mode as shown in fig. 4 and an internal honey pot mode as shown in fig. 5 can be adopted, the external honey pot has the advantages that the honey pot can be replaced at any time, the operation is convenient, and the internal honey pot has the advantages of high system response speed and convenience in hardware maintenance. For the case of externally arranging a plurality of honeypots, the method shown in fig. 6 can be adopted, the honeypots are managed by externally connecting a honeynet exchange, and the request response content obtained from one or more honeypots is distributed according to the difference of the network request content.
Specifically, the intelligent detection and response method for network abnormal behavior further comprises: sending an application data request to the honeypot; the honeypot returning the corresponding application data for that request; and sending the application data to each network request through the switch.
The application data request may be sent to the honeypot before or after the basic reply is made, and whether to initiate an interactive request to the honeypot is chosen according to the response policy. Services that the honeypot does not support need not be forwarded to it.
If the request is forwarded to the honeypot, its timing follows the timing of the request the attacker sent to the switch; the system only translates the attacker's source and destination IP, mapping the source IP to the honeypot communication IP of the detection and response system and the destination IP to the honeypot IP, then recalculates the checksums in the various packets and forwards the data to the honeypot system to obtain its response.
If the honeypot is not used, then for TCP probing the payload-free ACK response data can continue to be returned to the attacker on the basis of step S108, and keeping the connection open reduces the attacker's probing efficiency.
Honeypot response data has to be processed before it is returned to the attacker, as follows:
the source and destination IP of the honeypot response are immediately replaced with the target IP the attacker probed and the attacker's IP respectively, the checksums are recalculated, and the modified packet is sent to the attacker.
Optionally, sending the application data request to the honeypot includes translating the prober's source and destination IP: the source IP is mapped to the honeypot communication IP and the destination IP to the honeypot IP.
Optionally, sending the application data request to the honeypot includes parsing the application data request at the honeynet switch and forwarding it to at least one honeypot according to its type.
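The address translation and checksum recalculation described above, as an added worked example that is not the patent's own code: a constructed IPv4/TCP packet is mapped towards the honeypot (source to the honeypot communication IP, destination to the honeypot IP), the IPv4 header checksum and the TCP checksum over the pseudo header are recomputed, and the honeypot's reply is mapped back to the probed IP and the prober's IP. The function names, the absence of IP/TCP options and all addresses (documentation and private ranges) are assumptions made for the illustration.

```python
"""Address translation with checksum recomputation for honeypot forwarding.

Added example, not the patent's code. Builds a constructed IPv4/TCP packet,
rewrites only the two IP addresses and recomputes both checksums, which is
exactly what the description requires before the packet can be forwarded.
"""
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and, for TCP, the segment checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = bytearray(pkt[:ihl])
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    seg = bytearray(pkt[ihl:])
    if pkt[9] == 6:  # TCP: the checksum spans pseudo header (src, dst, zero, proto, length) + segment
        seg[16:18] = b"\x00\x00"
        pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
        seg[16:18] = struct.pack("!H", checksum(pseudo + bytes(seg)))
    return bytes(ip_hdr) + bytes(seg)


def verify_checksums(pkt: bytes) -> bool:
    """True when both the IPv4 header and the TCP segment checksums are valid."""
    ihl = (pkt[0] & 0x0F) * 4
    ok = checksum(pkt[:ihl]) == 0
    if pkt[9] == 6:
        seg = pkt[ihl:]
        ok = ok and checksum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg)) + seg) == 0
    return ok


def addresses(pkt: bytes):
    """(source IP, destination IP) of an IPv4 packet as dotted strings."""
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def rewrite_addresses(pkt: bytes, new_src: str, new_dst: str) -> bytes:
    """Only the two IP addresses change; ports, sequence numbers and payload stay as they are."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[16:20] = ipaddress.IPv4Address(new_dst).packed
    return fix_checksums(bytes(hdr) + pkt[ihl:])


def to_honeypot(pkt: bytes, honeypot_comm_ip: str, honeypot_ip: str) -> bytes:
    """Prober -> probed host becomes honeypot communication IP -> honeypot IP."""
    return rewrite_addresses(pkt, honeypot_comm_ip, honeypot_ip)


def from_honeypot(pkt: bytes, probed_ip: str, prober_ip: str) -> bytes:
    """Honeypot -> communication IP becomes probed host IP -> prober IP."""
    return rewrite_addresses(pkt, probed_ip, prober_ip)


def build_ipv4_tcp(src, dst, sport, dport, seq=0, ack=0, flags=0x02, window=64240,
                   payload=b"", ttl=64, tos=0, ident=0x1234):
    """Constructed packet (no IP or TCP options) so the example has realistic bytes to rewrite."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40 + len(payload), ident, 0x4000, ttl, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, window, 0, 0)
    return fix_checksums(ip_hdr + tcp_hdr + payload)


if __name__ == "__main__":
    probe = build_ipv4_tcp("203.0.113.5", "10.0.0.10", 40000, 80, seq=1, payload=b"GET / HTTP/1.0\r\n\r\n")
    fwd = to_honeypot(probe, "10.1.0.2", "10.1.0.100")
    print(addresses(probe), "->", addresses(fwd), "valid:", verify_checksums(fwd))
```

Because only the address fields change, `verify_checksums` on the rewritten packet is the check a practitioner would add before forwarding: a stale checksum is the most common reason a silently forwarded packet is dropped by the honeypot's stack.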
The disclosed embodiment uses bypass (out-of-band) network data detection to implement network deception defense. This avoids the single point of failure that an in-line approach can introduce: even if a deception defense system built on this scheme fails, normal network service is unaffected, and the deployment mode has little impact on actual network operation.
The self-learning rule generation method of the disclosed embodiment can discover the live hosts of the internal and external networks and of the network segment, together with their services, and also captures the rule characteristics of IP (Internet protocol) and TCP (transmission control protocol) layer data encapsulation for each host and service, so that adaptive configuration completes with little or no manual involvement and the convenience and accuracy of detection improve.
The disclosed embodiment also provides a session maintenance method for the bypass traffic detection scheme: a fast SYN+ACK response prevents the real host from tearing the communication down with an RST packet, and the returned packet is built to resemble the real host's fingerprint. This effectively enforces session maintenance and spoofing against network scanning and probing. In addition, the differences in network behaviour between real services and fake ones can be blurred by techniques such as answering ping (ICMP echo) probes and faking the responses of real services.
Example two
Referring to fig. 7, the present disclosure provides an intelligent detection and response system for network abnormal behavior. The detection and response system is embedded in the overall network interaction system as hardware or software modules. As shown in fig. 2, a network access device receives network data from the public network, forwards it to the servers through the subnet switch, and diverts a copy to the intelligent detection and response system for network abnormal behavior. The internal modules of the system are implemented in software or hardware; a module with the same function has the same technical effect as in the first embodiment and is not described again here. The system specifically comprises:
The extracting unit 702, configured to collect mirror traffic of the session layer through a switch and extract traffic characteristics from the mirror traffic.
The traffic characteristics include, but are not limited to, the following:
(1) IP/MAC address distribution of packets: the source/destination IP and source/destination MAC of all interactive data;
(2) Port-to-IP correspondence: the service ports and service IPs of interactive data together with the uplink and downlink traffic counts per port; where there is no traffic, the first-packet flag bits of each TCP direction are recorded;
(3) Network-layer and transport-layer fingerprints of response data, i.e. the fingerprint characteristics of network data sent from the local network, keyed by IP + port, including the TTL of the IP packet, the IP type of service (TOS) value, the TCP window size, and so on.
the verification unit 704: and the system is used for training a checking rule based on the flow characteristics, wherein the checking rule comprises an internal and external network checking rule, a living host checking rule, an existing network service checking rule and an existing operating system network fingerprint generation rule.
Specifically, the checking rule includes:
(1) internal and external network judgment rules: and judging the IP/MAC of the internal network and the external network based on the aggregation association relation of the MAC/IP data for a period of time. That is, the IP/MAC with a particularly high aggregation level is the IP and the corresponding host MAC in the network, and the data with a significantly low aggregation level is the external network IP and the switch MAC forwarded by the switch. On this basis, for data identifying the source MAC as the switch MAC address, the corresponding destination IP address is also the intranet IP.
(2) Survival host decision rule: on the basis of determining the internal network and the external network, which IP has the corresponding real existing survival host can be further confirmed based on the flow data, namely the IP address with the tight binding relationship between the IP and the MAC represents that the IP is the survival host IP of the network; for IP with untight association of IP and MAC, expressing as an external network IP; in the case where the IP address corresponds to only the broadcast MAC, this indicates that the IP address is an address that does not survive in the network.
(3) Existing network service decision rules: in the known live IP, based on the port information obtained from the traffic and whether there is uplink and downlink interactive traffic, it can be determined which ports are open, and for an IP/port record having only an identification bit such as SYN/RST, it indicates that the port is not open.
(4) Operating system network fingerprint generation rules: according to the characteristics of the IP data packet header and the TCP data packet header of each IP acquired for a long time, the average value, the median value and the like of various values such as TTL, service Type (TOS), window size and the like in the data packet are summarized to be used as a data packet generation rule for carrying out data response on the IP.
In addition, the automatically learned rules can be continuously adjusted and updated as network conditions change, and where necessary each rule can be further adjusted by manual labelling.
The forming unit 706, configured to mark each network request according to the checking rules to form a request log.
The request log includes: source IP, destination IP, source port, destination port, protocol type, whether the destination host IP is alive and whether the destination port is open.
The response unit 708, configured to make a basic reply to each network request according to the request log.
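The four self-learning rules above, and the entropy form of rule (1) given in claim 3, as an added worked example that is not the patent's own code. It runs over a constructed list of mirrored packet records such as a SPAN port would deliver and derives the intranet/extranet split, the live hosts, the open services and the per-host fingerprint template. The entropy formulation (source IPs seen behind each source MAC), the threshold, the use of the median and the record field names are assumptions made for the illustration.

```python
"""Self-learning checking rules over mirrored session-layer traffic.

Added example, not the patent's code. Applies the internal/external network,
live host, existing service and OS fingerprint rules to constructed records.
"""
import math
from collections import Counter, defaultdict
from statistics import median

GATEWAY_MAC = "aa:aa:aa:aa:aa:01"   # constructed: MAC of the subnet switch/router uplink
SRV_MAC = "aa:aa:aa:aa:aa:10"       # constructed: MAC of intranet host 10.0.0.10
BCAST_MAC = "ff:ff:ff:ff:ff:ff"


def pkt(src_ip, src_mac, dst_ip, dst_mac, proto="tcp", sport=0, dport=0,
        flags="", payload=0, ttl=64, tos=0, win=0):
    """One mirrored packet; flags use the usual letters (S, A, P, R)."""
    return dict(src_ip=src_ip, src_mac=src_mac, dst_ip=dst_ip, dst_mac=dst_mac, proto=proto,
                sport=sport, dport=dport, flags=flags, payload=payload, ttl=ttl, tos=tos, win=win)


# Constructed sample: two external clients reach a web server, one also probes a closed
# port, and the gateway ARPs for an address that nobody answers.
SAMPLE = [
    pkt("203.0.113.5", GATEWAY_MAC, "10.0.0.10", SRV_MAC, sport=40000, dport=80, flags="S", ttl=50, win=29200),
    pkt("10.0.0.10", SRV_MAC, "203.0.113.5", GATEWAY_MAC, sport=80, dport=40000, flags="SA", ttl=64, win=65535),
    pkt("203.0.113.5", GATEWAY_MAC, "10.0.0.10", SRV_MAC, sport=40000, dport=80, flags="PA", payload=120, ttl=50, win=29200),
    pkt("10.0.0.10", SRV_MAC, "203.0.113.5", GATEWAY_MAC, sport=80, dport=40000, flags="PA", payload=512, ttl=64, win=65535),
    pkt("198.51.100.7", GATEWAY_MAC, "10.0.0.10", SRV_MAC, sport=51000, dport=80, flags="S", ttl=57, win=64240),
    pkt("10.0.0.10", SRV_MAC, "198.51.100.7", GATEWAY_MAC, sport=80, dport=51000, flags="SA", ttl=64, win=65535),
    pkt("198.51.100.7", GATEWAY_MAC, "10.0.0.10", SRV_MAC, sport=51001, dport=23, flags="S", ttl=57, win=64240),
    pkt("10.0.0.10", SRV_MAC, "198.51.100.7", GATEWAY_MAC, sport=23, dport=51001, flags="RA", ttl=64, win=0),
    pkt("10.0.0.1", GATEWAY_MAC, "10.0.0.99", BCAST_MAC, proto="arp"),
]


def _entropy(counter):
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def learn_intranet_extranet(records, threshold=0.5):
    """Rule (1). A MAC fronting many source IPs (high entropy) is the switch MAC and those
    IPs are external; a MAC bound to a single IP is an intranet host. Destination IPs of
    frames sent from the switch MAC are intranet addresses as well."""
    ips_per_mac = defaultdict(Counter)
    for r in records:
        if r["proto"] != "arp":
            ips_per_mac[r["src_mac"]][r["src_ip"]] += 1
    switch_macs = {m for m, c in ips_per_mac.items() if _entropy(c) > threshold}
    intranet = set()
    for r in records:
        if r["src_mac"] in switch_macs:
            intranet.add(r["dst_ip"])
        elif r["proto"] != "arp":
            intranet.add(r["src_ip"])
    extranet = {ip for m in switch_macs for ip in ips_per_mac[m]} - intranet
    return intranet, extranet


def learn_live_hosts(records, intranet):
    """Rule (2). An intranet IP bound to a real MAC is live; one seen only with the
    broadcast MAC (an unanswered ARP) has no host behind it."""
    macs_per_ip = defaultdict(set)
    for r in records:
        macs_per_ip[r["src_ip"]].add(r["src_mac"])
        macs_per_ip[r["dst_ip"]].add(r["dst_mac"])
    return {ip for ip in intranet if macs_per_ip[ip] - {BCAST_MAC}}


def learn_services(records, live):
    """Rule (3). A (live IP, port) is open when the host side sends anything beyond RST,
    i.e. there is real uplink and downlink interaction; a SYN answered only by RST
    (or not at all) means the port is not open."""
    host_flags = defaultdict(set)
    probed = set()
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["dst_ip"] in live:
            probed.add((r["dst_ip"], r["dport"]))
        if r["src_ip"] in live:
            host_flags[(r["src_ip"], r["sport"])].add(r["flags"])
    return {key: any(f not in ("R", "RA") for f in host_flags[key]) for key in probed}


def learn_fingerprints(records, live):
    """Rule (4). Median TTL, TOS and TCP window of the packets each live host sent,
    kept as the template for generating replies on its behalf."""
    samples = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["proto"] == "tcp" and r["src_ip"] in live:
            for field in ("ttl", "tos", "win"):
                samples[r["src_ip"]][field].append(r[field])
    return {ip: {f: int(median(v)) for f, v in fields.items()} for ip, fields in samples.items()}


def learn_rules(records):
    """Run the four rules in order; later rules build on the earlier results."""
    intranet, extranet = learn_intranet_extranet(records)
    live = learn_live_hosts(records, intranet)
    return {"intranet": intranet, "extranet": extranet, "live": live,
            "services": learn_services(records, live),
            "fingerprints": learn_fingerprints(records, live)}


if __name__ == "__main__":
    for name, value in learn_rules(SAMPLE).items():
        print(name, value)
```

On the sample, 10.0.0.99 is classified as an intranet address without a live host (it is only ever seen with the broadcast MAC), port 23 on 10.0.0.10 is marked closed because the only host-side packet is an RST, and the fingerprint template for 10.0.0.10 keeps TTL 64 and window 65535 even though the RST carried a zero window, which is why a median rather than a mean is used here.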
The intelligent detection and response system for network abnormal behavior responds differently, according to the different characteristics, to probes of an IP judged non-existent, of a non-existent service on an existing IP, and of an existing service. For all TCP responses the sequence number used is the request packet's sequence number plus 1, so as to mimic a real response. Specifically:
(1) For TCP probing of a non-existent IP, an operating system network fingerprint generation rule is selected at random to generate the response data, which is returned through the communication interface;
(2) For ping (ICMP echo) probing of a non-existent IP, a response packet is constructed according to the specific content of the ping request;
(3) For TCP probing of a port that is not open on a live host, a packet is generated according to that host's operating system network fingerprint and returned through the communication interface;
(4) Where the host exists and the service is real, bypass blocking can be applied to probes from unknown IPs, i.e. corresponding RST packets are sent both to the attacker (prober) and to the real service host's port, tearing down the connection.
Once bypass monitoring observes that the real service has already answered with a SYN+ACK packet, RST packets are generated from the host's network fingerprint template and a number of them are sent to the prober at random. This blurs the difference between fabricated responses and real services.
In this response mode the network attack is answered quickly at the session layer, so the attacker is promptly left unable to tell which server is the real one; the time the attacker has to identify and judge the real server is effectively reduced, the efficiency of the attack falls, and the defender gains response time for network maintenance. Simulating the service content that the attack requests adds further confusion.
As an optional embodiment, a honeypot may be added to the intelligent detection and response system for network abnormal behavior to confuse network attacks further. Either an external honeypot as shown in fig. 4 or an internal honeypot as shown in fig. 5 can be used: an external honeypot can be replaced at any time and is easy to operate, while an internal honeypot gives faster system response and easier hardware maintenance. Where several external honeypots are deployed, the arrangement in fig. 6 can be used: the honeypots are managed through an externally attached honeynet switch, and the request and response content obtained from one or more honeypots is distributed according to the content of each network request.
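The basic-reply policy of cases (1) to (4) above, including the follow-up RSTs once the real service's SYN+ACK has been seen, as an added worked example that is not the patent's own code. It takes one request-log entry plus the learned fingerprint templates and returns the reply headers the bypass device should emit; it builds no packets and sends nothing. The field names, the constructed `FINGERPRINTS` templates, the reply count range in case (4), the TTL of the spoofed RST towards the host, and the choice of SYN+ACK for case (3) (the page only says the packet follows the host's fingerprint) are assumptions.

```python
"""Basic-reply selection for one request-log entry.

Added example, not the patent's code. Encodes the response cases of the
description as a policy function returning reply header specifications.
"""
import random

# Constructed templates in the shape a learned OS fingerprint rule would produce
FINGERPRINTS = {
    "10.0.0.10": {"ttl": 64, "tos": 0, "win": 65535},
    "10.0.0.20": {"ttl": 128, "tos": 0, "win": 8192},
}


def _tcp_reply(entry, tmpl, flags, seq=0):
    """Reply sent on behalf of the probed IP; the ack is the request sequence number + 1."""
    return {
        "proto": "tcp", "src_ip": entry["dst_ip"], "dst_ip": entry["src_ip"],
        "sport": entry["dport"], "dport": entry["sport"], "flags": flags,
        "seq": seq, "ack": (entry["seq"] + 1) & 0xFFFFFFFF,
        "ttl": tmpl["ttl"], "tos": tmpl["tos"], "win": tmpl["win"],
    }


def basic_reply(entry, fingerprints=FINGERPRINTS, known_sources=frozenset(),
                real_replied=False, rng=None):
    """Return the list of replies to emit for one request-log entry.

    entry: src_ip, dst_ip, sport, dport, proto, seq, host_alive, port_open
           (ICMP entries carry icmp_id, icmp_seq and payload instead of ports/seq).
    known_sources: peers that are not treated as unknown probers.
    real_replied: True once bypass monitoring saw the real service's SYN+ACK.
    """
    rng = rng or random.Random()

    def random_template():
        return fingerprints[rng.choice(sorted(fingerprints))]

    if entry["proto"] == "icmp" and not entry["host_alive"]:
        # (2) ping of a non-existent IP: echo reply mirroring the request content
        tmpl = random_template()
        return [{"proto": "icmp", "type": 0, "code": 0,
                 "src_ip": entry["dst_ip"], "dst_ip": entry["src_ip"],
                 "icmp_id": entry["icmp_id"], "icmp_seq": entry["icmp_seq"],
                 "payload": entry["payload"], "ttl": tmpl["ttl"], "tos": tmpl["tos"]}]
    if entry["proto"] != "tcp":
        return []  # a live host answers its own pings; other protocols are out of scope here

    if not entry["host_alive"]:
        # (1) TCP probe of a non-existent IP: answer from a randomly chosen fingerprint
        return [_tcp_reply(entry, random_template(), "SA", seq=rng.getrandbits(32))]

    tmpl = fingerprints[entry["dst_ip"]]
    if not entry["port_open"]:
        # (3) closed port on a live host: reply from that host's own fingerprint
        # (SYN+ACK, making the port look open, is assumed here)
        return [_tcp_reply(entry, tmpl, "SA", seq=rng.getrandbits(32))]

    if entry["src_ip"] in known_sources:
        return []  # real service, known peer: nothing to do
    if not real_replied:
        # (4a) bypass blocking: RST to the prober and an RST, spoofed as the prober, to the service port
        to_host = {"proto": "tcp", "src_ip": entry["src_ip"], "dst_ip": entry["dst_ip"],
                   "sport": entry["sport"], "dport": entry["dport"], "flags": "R",
                   "seq": (entry["seq"] + 1) & 0xFFFFFFFF, "ack": 0,
                   "ttl": 64, "tos": 0, "win": 0}  # TTL assumed
        return [_tcp_reply(entry, tmpl, "RA"), to_host]
    # (4b) the real service already sent SYN+ACK: several fingerprinted RSTs to the prober
    return [_tcp_reply(entry, tmpl, "RA") for _ in range(rng.randint(1, 3))]


if __name__ == "__main__":
    probe = dict(src_ip="198.51.100.7", dst_ip="10.0.0.99", sport=51000, dport=22,
                 proto="tcp", seq=1000, host_alive=False, port_open=False)
    for reply in basic_reply(probe):
        print(reply)
```

Keeping the policy separate from packet construction makes it testable without raw sockets, and it keeps the one invariant the page insists on (ack = request seq + 1) in a single place.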
The disclosed embodiment uses bypass (out-of-band) network data detection to implement network deception defense. This avoids the single point of failure that an in-line approach can introduce: even if a deception defense system built on this scheme fails, normal network service is unaffected, and the deployment mode has little impact on actual network operation.
The self-learning rule generating unit of the disclosed embodiment can discover the live hosts of the internal and external networks and of the network segment, together with their services, and also captures the rule characteristics of IP (Internet protocol) and TCP (transmission control protocol) layer data encapsulation for each host and service, so that adaptive configuration completes with little or no manual involvement and the convenience and accuracy of detection improve.
The disclosed embodiment also provides a session maintenance unit for the bypass traffic detection scheme: a fast SYN+ACK response prevents the real host from tearing the communication down with an RST packet, and the returned packet is built to resemble the real host's fingerprint. This effectively enforces session maintenance and spoofing against network scanning and probing. In addition, the differences in network behaviour between real services and fake ones can be blurred by techniques such as answering ping (ICMP echo) probes and faking the responses of real services.
Example three
The present disclosure provides an electronic device comprising a processor and a memory, the memory storing computer program instructions executable by the processor, the processor implementing the method steps of any embodiment of the first aspect when executing the computer program instructions.
Example four
The present disclosure provides a computer readable storage medium storing computer program instructions which, when invoked and executed by a processor, implement the method steps of any embodiment of the first aspect.
Referring now to FIG. 8, a schematic diagram of an electronic device suitable for use in implementing the present disclosure is shown. The terminal device in the embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle terminal (e.g., a car navigation terminal), and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 8 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 8, an electronic device may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 801 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage means 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the electronic apparatus are also stored. The processing apparatus 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
Generally, the following devices may be connected to the I/O interface 805: input devices 806 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 807 including, for example, a Liquid Crystal Display (LCD), speakers, vibrators, and the like; storage 808 including, for example, magnetic tape, hard disk, etc.; and a communication device 809. The communication means 809 may allow the electronic device to communicate with other devices wirelessly or by wire to exchange data. While fig. 8 illustrates an electronic device having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication means 809, or installed from the storage means 808, or installed from the ROM 802. The computer program, when executed by the processing apparatus 801, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The name of a unit does not, in some cases, constitute a limitation on the unit itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. An intelligent detection and response method for network abnormal behavior, characterized by comprising the following steps:
acquiring mirror traffic of a session layer through a switch, and extracting traffic characteristics from the mirror traffic;
training checking rules based on the traffic characteristics, wherein the checking rules comprise an internal/external network checking rule, a live host checking rule, an existing network service checking rule and an existing operating system network fingerprint generation rule;
marking each network request according to the checking rules to form a request log;
and making a basic reply to each network request according to the request log.
2. The method of claim 1, wherein the traffic characteristics comprise:
IP/MAC address distribution of packets, including at least one of: source/destination IP and source/destination MAC of all interactive data;
port-to-IP correspondence, including at least one of: service port, service IP, uplink and downlink traffic count of the service port, first-packet flag bits of TCP in each direction;
network-layer and transport-layer fingerprints of response data, including at least one of: TTL value of the IP packet, IP type of service value, TCP window size.
3. The method of claim 2, wherein
the internal/external network checking rule comprises: calculating entropy values of the MACs of all interactive source data based on the IP addresses; when an entropy value is larger than a preset threshold, determining an external network IP and its corresponding host MAC; when the entropy value is smaller than the preset threshold, determining an intranet IP and its corresponding host MAC;
the live host checking rule comprises: when an intranet IP has external payload communication, that IP is a live host IP;
the existing network service checking rule comprises: when an IP is live and has uplink and downlink interactive traffic, determining that the service port is valid; when only the SYN/RST flag bits exist, determining that the service port is invalid;
the operating system network fingerprint generation rule comprises: acquiring the IP packet header and the TCP packet header of each host IP, and generating a data response for that IP according to the TTL, type of service or window size in the IP packet header and the TCP packet header.
4. The method of claim 1, wherein the request log comprises:
source IP, destination IP, source port, destination port, protocol type, whether the destination host IP is alive and whether the destination port is open.
5. The method of claim 4, wherein making a basic reply to each network request according to the request log comprises:
for TCP probing of a non-live host IP, randomly selecting an operating system network fingerprint generation rule to generate response data, and returning the response data through a communication interface; and/or
for ping (ICMP echo) probing of a non-live host IP, constructing response data according to the specific content of the ping request and returning it through a communication interface; and/or
for TCP probing of a port that is not open on a live host IP, generating response data according to the operating system network fingerprint generation rule of that host IP, and returning the response data through a communication interface; and/or
when the host IP is live and the target port is open, for probing from an unknown IP, sending corresponding RST packets to the prober and to the real service host port; or
when the host IP is live and the target port is open, after it is monitored that the real service has responded with a SYN+ACK packet, generating RST packets according to the operating system network fingerprint generation rule of the host IP and sending them to the prober at random.
6. The method of claim 5, further comprising:
sending an application data request to a honeypot;
the honeypot returning corresponding application data according to the application data request;
sending the application data to each network request through the switch.
7. The method of claim 6, wherein sending an application data request to a honeypot comprises:
translating the source IP and the destination IP of the prober, the source IP being translated into the honeypot communication IP and the destination IP into the honeypot IP.
8. The method of claim 6, wherein sending an application data request to a honeypot comprises:
parsing the application data request at the honeynet switch, and sending the application data request to at least one honeypot according to the type of the application data request.
9. An intelligent detection and response device for network abnormal behavior, characterized by comprising:
an extraction unit, configured to collect mirror traffic of a session layer through a switch and extract traffic characteristics from the mirror traffic;
a training unit, configured to train checking rules based on the traffic characteristics, wherein the checking rules comprise an internal/external network checking rule, a live host checking rule, an existing network service checking rule and an existing operating system network fingerprint generation rule;
a forming unit, configured to mark each network request according to the checking rules to form a request log;
and a response unit, configured to make a basic reply to each network request according to the request log.
10. An electronic device comprising a processor and a memory, the memory storing computer program instructions executable by the processor, the processor implementing the method steps of any of claims 1-9 when executing the computer program instructions.
CN202010486208.4A 2020-06-01 2020-06-01 Intelligent detection and response method and device for network abnormal behaviors and electronic equipment Active CN113765846B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010486208.4A CN113765846B (en) 2020-06-01 2020-06-01 Intelligent detection and response method and device for network abnormal behaviors and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010486208.4A CN113765846B (en) 2020-06-01 2020-06-01 Intelligent detection and response method and device for network abnormal behaviors and electronic equipment

Publications (2)

Publication Number Publication Date
CN113765846A true CN113765846A (en) 2021-12-07
CN113765846B CN113765846B (en) 2023-08-04

Family

ID=78782670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010486208.4A Active CN113765846B (en) 2020-06-01 2020-06-01 Intelligent detection and response method and device for network abnormal behaviors and electronic equipment

Country Status (1)

Country Link
CN (1) CN113765846B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363087A (en) * 2022-01-27 2022-04-15 杭州默安科技有限公司 Scanner countermeasure method and system based on bypass interference
CN114363041A (en) * 2021-12-31 2022-04-15 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint
CN114928638A (en) * 2022-06-16 2022-08-19 上海斗象信息科技有限公司 Network behavior analysis method and device and monitoring equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102204170A (en) * 2008-10-31 2011-09-28 惠普开发有限公司 Method and apparatus for network intrusion detection
CN107623661A (en) * 2016-07-15 2018-01-23 阿里巴巴集团控股有限公司 Block system, the method and device of access request, server
CN110049022A (en) * 2019-03-27 2019-07-23 深圳市腾讯计算机系统有限公司 A kind of domain name access control method, device and computer readable storage medium
CN110351237A (en) * 2019-05-23 2019-10-18 中国科学院信息工程研究所 Honey jar method and device for numerically-controlled machine tool
EP3621265A1 (en) * 2018-09-04 2020-03-11 Nokia Technologies Oy Method and apparatus for detecting and mitigating information security threats in the internet

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102204170A (en) * 2008-10-31 2011-09-28 惠普开发有限公司 Method and apparatus for network intrusion detection
CN107623661A (en) * 2016-07-15 2018-01-23 阿里巴巴集团控股有限公司 Block system, the method and device of access request, server
EP3621265A1 (en) * 2018-09-04 2020-03-11 Nokia Technologies Oy Method and apparatus for detecting and mitigating information security threats in the internet
CN110049022A (en) * 2019-03-27 2019-07-23 深圳市腾讯计算机系统有限公司 A kind of domain name access control method, device and computer readable storage medium
CN110351237A (en) * 2019-05-23 2019-10-18 中国科学院信息工程研究所 Honey jar method and device for numerically-controlled machine tool

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363041A (en) * 2021-12-31 2022-04-15 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint
CN114363041B (en) * 2021-12-31 2023-08-11 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint
CN114363087A (en) * 2022-01-27 2022-04-15 杭州默安科技有限公司 Scanner countermeasure method and system based on bypass interference
CN114928638A (en) * 2022-06-16 2022-08-19 上海斗象信息科技有限公司 Network behavior analysis method and device and monitoring equipment

Also Published As

Publication number Publication date
CN113765846B (en) 2023-08-04

Similar Documents

Publication Publication Date Title
US9787700B1 (en) System and method for offloading packet processing and static analysis operations
US10200384B1 (en) Distributed systems and methods for automatically detecting unknown bots and botnets
CN109660539B (en) Method and device for identifying defect-losing equipment, electronic equipment and storage medium
WO2022083353A1 (en) Abnormal network data detection method and apparatus, computer device, and storage medium
Aiello et al. DNS tunneling detection through statistical fingerprints of protocol messages and machine learning
CN105430011B (en) A kind of method and apparatus detecting distributed denial of service attack
US20150229669A1 (en) Method and device for detecting distributed denial of service attack
CN113765846B (en) Intelligent detection and response method and device for network abnormal behaviors and electronic equipment
US10218733B1 (en) System and method for detecting a malicious activity in a computing environment
CN109391635B (en) Data transmission method, device, equipment and medium based on bidirectional gatekeeper
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
CN111526132B (en) Attack transfer method, device, equipment and computer readable storage medium
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
CN111565203B (en) Method, device and system for protecting service request and computer equipment
CN112468518A (en) Access data processing method and device, storage medium and computer equipment
Garant et al. Mining botnet behaviors on the large-scale web application community
Yen Detecting stealthy malware using behavioral features in network traffic
CN112583827B (en) Data leakage detection method and device
CN113518042B (en) Data processing method, device, equipment and storage medium
US10237287B1 (en) System and method for detecting a malicious activity in a computing environment
CN115102781B (en) Network attack processing method, device, electronic equipment and medium
CN114760216B (en) Method and device for determining scanning detection event and electronic equipment
US20110216770A1 (en) Method and apparatus for routing network packets and related packet processing circuit
CN116015721A (en) Illegal external connection detection method, system, electronic equipment and medium
CN112615713B (en) Method and device for detecting hidden channel, readable storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant